Verify authenticity of files & packages with shasum & openssl

shasum, openssl & sha1, sha256, md5 hashes

Front End Pro Tip: This is going to be a multipart series on privacy, security, encryption & cryptography

Wikipedia History SHA-1, SHA-2, SHA-3

Wikipedia SHA-1 “In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.

SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.”

Wikipedia SHA-2 “SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.”

Wikipedia SHA-3 “SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated. Because of the successful attacks on MD5 and SHA-0 and theoretical attacks on SHA-1, NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.”

SHAs in the wild

Using shasum

I recently downloaded Wine for Mac to run Windows programs. Underneath the download link was a SHA-256 checksum. To check the download, run $ shasum on the file with the matching algorithm and compare the printed digest against the published one; the two hex strings must be identical, character for character. Keep in mind what this proves: a checksum hosted on the same site as the download protects against a corrupted or truncated transfer, not against a compromised server, since whoever can swap the file can also swap the hash. Authenticity needs a signature (for example a GPG signature) checked against a key obtained from somewhere other than the download page.

Reading the man file for shasum shows what additional options and commands are available. Most notably for this use case, the --algorithm (-a) flag selects the hash, and --check (-c) reads lines of the form “digest  filename” and verifies each file, which is handy when a project publishes a SHA256SUMS file. To open the manual, run $ man shasum; it lists the algorithm types the flag accepts.

Using openssl

I recently downloaded qBittorrent for Mac. On the issues associated with filesharing I’ll only say that it is not inherently illegal, nor is it inherently safe: it relies on a network of trust, and by default your IP address is exposed to every peer in the swarm. The qBittorrent site initially listed a SHA-1 checksum, though the downloads page lists MD5, SHA-1 & SHA-256 hashes. When several are offered, check the SHA-256 one: MD5 and SHA-1 both have practical collision attacks, so an attacker can produce two different files with the same MD5 or SHA-1 digest. openssl can be used much like shasum to verify the integrity of a file or package.

openssl is a much larger tool than what I’ll cover here; more information can be found in the man file, $ man openssl. The relevant subcommand is openssl dgst, which takes the algorithm as an option (for example $ openssl dgst -sha256 file), and the digests are also available as direct commands such as $ openssl sha256 file. Its output format differs from shasum’s: “SHA256(file)= hash” rather than “hash  file”. On OpenSSL 1.1.1 and later, $ openssl list -digest-commands prints the supported digests; older releases document them in the man page.